2 Unix SMB/Netbios implementation.
4 LDAP protocol helper functions for SAMBA
5 Copyright (C) Shahms King 2001
6 Copyright (C) Jean François Micouleau 1998
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 * persistent connections: if using NSS LDAP, many connections are made
29 * however, using only one within Samba would be nice
31 * Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
33 * Other LDAP based login attributes: accountExpires, etc.
34 * (should be the domain of Samba proper, but the sam_password/SAM_ACCOUNT
35 * structures don't have fields for some of these attributes)
37 * SSL is done, but certificate-based authentication could not be made to work
38 * on my test platform (Linux 2.4, OpenLDAP 2.x)
41 /* NOTE: this will NOT work against an Active Directory server
42 * due to the fact that the two password fields cannot be retrieved
43 * from a server; recommend using security = domain in this situation
/* SAM_ACCOUNT is an alias for struct sam_passwd; the pdb_get_xxx() /
 * pdb_set_xxx() accessors used throughout this file operate on it. */
51 #define SAM_ACCOUNT struct sam_passwd
/* Process-wide enumeration state shared by pdb_setsampwent(),
 * pdb_getsampwent() and pdb_endsampwent() (fields used below: ldap_struct,
 * result, entry).  Being a single static object, at most one enumeration
 * can be in progress per process and the functions are not reentrant. */
61 static struct ldap_enum_info global_ldap_ent;
64 /*******************************************************************
65 open a connection to the ldap server.
 Initialises *ldap_struct for lp_ldap_server():lp_ldap_port() and applies
 the transport security selected by lp_ldap_ssl(): LDAP_SSL_START_TLS
 raises the protocol to LDAPv3 and issues StartTLS, the branch that sets
 LDAP_OPT_X_TLS (case label elided, presumably LDAP_SSL_ON) requests a
 hard TLS session.  Success/failure is reported through return
 statements that are not present in this listing.
 NOTE(review): declarations, braces and return statements are elided
 from this listing; the comments describe only what is visible.
66 ******************************************************************/
68 ldap_open_connection (LDAP ** ldap_struct)
72 int tls = LDAP_OPT_X_TLS_HARD;
/* "ssl = on" on port 389 is rejected: 389 is the cleartext/StartTLS port,
 * an ldaps session needs its own port (the DEBUG/return of this branch
 * are elided). */
74 if (lp_ldap_ssl() == LDAP_SSL_ON && lp_ldap_port() == 389) {
78 port = lp_ldap_port();
/* NOTE(review): ldap_init() in OpenLDAP normally only allocates the handle
 * and does not contact the server, so the "not responding" message below
 * may be misleading -- confirm against the SDK in use. */
81 if ((*ldap_struct = ldap_init(lp_ldap_server(), port)) == NULL) {
82 DEBUG(0, ("The LDAP server is not responding !\n"));
/* Unconditionally pins the protocol version to LDAPv2 here; the
 * START_TLS case below raises it back to v3 (StartTLS is a v3 extended
 * operation), every other case keeps v2.  NOTE(review): LDAPv2 is
 * retired -- confirm this downgrade is still wanted. */
86 /* Connect to older servers using SSL and V2 rather than Start TLS */
87 if (ldap_get_option(*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS)
89 if (version != LDAP_VERSION2)
91 version = LDAP_VERSION2;
92 ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
96 switch (lp_ldap_ssl())
98 case LDAP_SSL_START_TLS:
99 if (ldap_get_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION,
100 &version) == LDAP_OPT_SUCCESS)
102 if (version < LDAP_VERSION3)
104 version = LDAP_VERSION3;
105 ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION,
/* A StartTLS failure is logged at level 0; the return that follows the
 * DEBUG is elided here.  The connection must not be used in cleartext
 * after this point, since ldap_connect_system() does a simple bind. */
109 if ((rc = ldap_start_tls_s (*ldap_struct, NULL, NULL)) != LDAP_SUCCESS)
112 ("Failed to issue the StartTLS instruction: %s\n",
113 ldap_err2string(rc)));
116 DEBUG (2, ("StartTLS issued: using a TLS connection\n"));
/* LDAP_OPT_X_TLS_HARD (tls, line 72) demands a TLS session on the
 * connection.  NOTE(review): no peer-certificate verification option
 * (e.g. LDAP_OPT_X_TLS_REQUIRE_CERT) is set in the visible lines, so
 * server authentication depends on the library's default -- confirm. */
119 if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
121 DEBUG(0, ("Failed to setup a TLS session\n"));
128 DEBUG(2, ("ldap_open_connection: connection opened\n"));
132 /*******************************************************************
133 connect to the ldap server under system privilege.
 Performs a simple bind as lp_ldap_admin_dn() with the password fetched
 from secrets.tdb by fetch_ldap_pw().  The password is cached in a
 function-static buffer for the lifetime of the process; got_pw is only
 set once the fetch succeeds, so a failed fetch is retried on the next
 call.  Returns True on a successful bind (return statements elided).
 NOTE(review): declarations, braces and return statements are elided
 from this listing.
134 ******************************************************************/
135 static BOOL ldap_connect_system(LDAP * ldap_struct)
138 static BOOL got_pw = False;
/* The directory admin credential stays resident in static storage and is
 * never zeroised in the visible code; core dumps or a debugger attached
 * to the process can recover it. */
139 static pstring ldap_secret;
141 /* get the password if we don't have it already */
142 if (!got_pw && !(got_pw=fetch_ldap_pw(lp_ldap_admin_dn(), ldap_secret, sizeof(pstring))))
144 DEBUG(0, ("ldap_connect_system: Failed to retrieve password for %s from secrets.tdb\n",
145 lp_ldap_admin_dn()));
149 /* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
150 (OpenLDAP) doesn't seem to support it */
/* A simple bind sends the password in the clear at the protocol level;
 * its confidentiality rests entirely on the TLS/SSL session that
 * ldap_open_connection() negotiated for this handle. */
151 if ((rc = ldap_simple_bind_s(ldap_struct, lp_ldap_admin_dn(),
152 ldap_secret)) != LDAP_SUCCESS)
154 DEBUG(0, ("Bind failed: %s\n", ldap_err2string(rc)));
158 DEBUG(2, ("ldap_connect_system: succesful connection to the LDAP server\n"));
162 /*******************************************************************
163 run a subtree search below lp_ldap_suffix() with the given filter.
 Matching entries are returned through *result; all attributes are
 requested (attrs NULL, attrsonly 0).  The ldap_search_s() result code is
 presumably what the elided tail of the function returns.
 NOTE(review): declarations, braces and the return statement are elided
 from this listing.
164 ******************************************************************/
165 static int ldap_search_one_user (LDAP * ldap_struct, const char *filter, LDAPMessage ** result)
167 int scope = LDAP_SCOPE_SUBTREE;
/* The raw filter (which embeds the caller-supplied user name, see the
 * by_name caller) is written to the log at debug level 2. */
170 DEBUG(2, ("ldap_search_one_user: searching for:[%s]\n", filter));
172 rc = ldap_search_s (ldap_struct, lp_ldap_suffix (), scope,
173 filter, NULL, 0, result);
175 if (rc != LDAP_SUCCESS) {
176 DEBUG(0,("ldap_search_one_user: Problem during the LDAP search: %s\n",
177 ldap_err2string (rc)));
178 DEBUG(3,("ldap_search_one_user: Query was: %s, %s\n", lp_ldap_suffix(),
184 /*******************************************************************
185 run the search by name.
 Builds the filter from lp_ldap_filter() by substituting every "%u" with
 `user`, then delegates to ldap_search_one_user().
 NOTE(review): `user` is spliced into the filter verbatim.  Characters
 that are special in an LDAP search filter ('*', '(', ')', '\' and NUL)
 are not escaped, so a name containing them changes the meaning of the
 query.  Escape or reject such characters before substitution if the
 name can come from an untrusted source.
 NOTE(review): declarations and braces are elided from this listing.
186 ******************************************************************/
187 static int ldap_search_one_user_by_name (LDAP * ldap_struct, const char *user,
188 LDAPMessage ** result)
193 in the filter expression, replace %u with the real name
194 so in ldap filter, %u MUST exist :-)
196 pstrcpy(filter, lp_ldap_filter());
198 /* have to use this here because $ is filtered out
/* all_string_sub() is bounded by sizeof(pstring); the substitution
 * result is truncated rather than overflowed. */
201 all_string_sub(filter, "%u", user, sizeof(pstring));
203 return ldap_search_one_user(ldap_struct, filter, result);
206 /*******************************************************************
207 run the search by uid.
 Resolves the uid to a login name through sys_getpwuid() and then runs
 the configured filter with "%u" replaced by that name.
 NOTE(review): declarations and braces are elided from this listing.
208 ******************************************************************/
209 static int ldap_search_one_user_by_uid(LDAP * ldap_struct, int uid,
210 LDAPMessage ** result)
215 /* Get the username from the system and look that up in the LDAP */
216 user = sys_getpwuid(uid);
/* NOTE(review): sys_getpwuid() presumably mirrors getpwuid() and returns
 * NULL for an unknown uid; no NULL check is visible before user->pw_name
 * is dereferenced two lines down. */
217 pstrcpy(filter, lp_ldap_filter());
218 all_string_sub(filter, "%u", user->pw_name, sizeof(pstring));
220 return ldap_search_one_user(ldap_struct, filter, result);
223 /*******************************************************************
224 run the search by rid.
 First searches on the "rid" attribute; if that search itself fails it
 falls back to a search by the uid derived from the rid through
 pdb_user_rid_to_uid().  Returns the result code of the last search
 (return statement elided).
 NOTE(review): declarations, braces and the return statement are elided
 from this listing.
225 ******************************************************************/
226 static int ldap_search_one_user_by_rid (LDAP * ldap_struct, uint32 rid,
227 LDAPMessage ** result)
232 /* check if the user rid exists, if not, try searching on the uid */
/* "%i" expects an int but rid is a uint32; "%u" (or a cast) would keep the
 * conversion and the argument type matched. */
233 snprintf(filter, sizeof(filter) - 1, "rid=%i", rid);
234 rc = ldap_search_one_user(ldap_struct, filter, result);
/* NOTE(review): a search that completes with zero entries still yields
 * LDAP_SUCCESS, so the uid fallback only triggers on a search error, not
 * on "rid not found" as the comment above suggests. */
236 if (rc != LDAP_SUCCESS)
237 rc = ldap_search_one_user_by_uid(ldap_struct,
238 pdb_user_rid_to_uid(rid), result);
243 /*******************************************************************
244 search an attribute and return the first value found.
 Copies the first value of `attribute` on `entry` into `value` (a
 pstring-sized buffer supplied by the caller) and frees the value array.
 Additional values of a multi-valued attribute are discarded.
 NOTE(review): braces and the else-branch header are elided from this
 listing.
245 ******************************************************************/
246 static void get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
247 char *attribute, char *value)
251 if ((valeurs = ldap_get_values (ldap_struct, entry, attribute)) != NULL) {
252 pstrcpy(value, valeurs[0]);
253 ldap_value_free(valeurs);
/* Logs the attribute value at debug level 2.  init_sam_from_ldap() fetches
 * lmPassword and ntPassword through this routine, so at log level >= 2
 * the password hashes (password-equivalents for NTLM) land in the debug
 * log; consider suppressing the value for those attributes. */
254 DEBUG (2, ("get_single_attribute: [%s] = [%s]\n", attribute, value));
/* When the attribute is absent nothing is written to `value` in the
 * visible code; a caller that reuses a buffer keeps its old contents. */
258 DEBUG (2, ("get_single_attribute: [%s] = [NULL]\n", attribute));
262 /************************************************************************
263 Routine to manage the LDAPMod structure array
264 manage memory used by the array, by each struct, and values
 Appends `value` to the LDAPMod entry for (modop, attribute) in *modlist,
 creating the NULL-terminated array and/or the LDAPMod on first use.
 Empty or NULL attribute/value arguments are ignored.  Everything
 allocated here is released by the caller with ldap_mods_free(mods, 1)
 (see pdb_add_sam_account() and pdb_update_sam_account()).
 NOTE(review): declarations, braces, returns and the write-back of `mods`
 to *modlist are elided from this listing.
266 ************************************************************************/
267 static void make_a_mod (LDAPMod *** modlist, int modop, const char *attribute, const char *value)
275 if (attribute == NULL || *attribute == '\0')
278 if (value == NULL || *value == '\0')
/* First call: a one-element array holding only the NULL terminator. */
283 mods = (LDAPMod **) malloc(sizeof(LDAPMod *));
286 DEBUG(0, ("make_a_mod: out of memory!\n"));
/* Reuse an existing mod with the same op and attribute type; attribute
 * types are compared case-insensitively, as LDAP defines them. */
292 for (i = 0; mods[i] != NULL; ++i) {
293 if (mods[i]->mod_op == modop && !strcasecmp(mods[i]->mod_type, attribute))
/* Grow by one slot plus terminator.  NOTE(review): assigning realloc()'s
 * result straight back to `mods` loses the only pointer to the old array
 * when realloc() fails (the mod_values growth below has the same shape). */
299 mods = (LDAPMod **) realloc (mods, (i + 2) * sizeof (LDAPMod *));
302 DEBUG(0, ("make_a_mod: out of memory!\n"));
305 mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod));
308 DEBUG(0, ("make_a_mod: out of memory!\n"));
311 mods[i]->mod_op = modop;
312 mods[i]->mod_values = NULL;
/* The strdup() results (here and for the value below) are not checked in
 * the visible code. */
313 mods[i]->mod_type = strdup(attribute);
/* Append `value` to the NULL-terminated mod_values array: j is advanced to
 * the current terminator, the array grows by one, the value is copied. */
320 if (mods[i]->mod_values != NULL) {
321 for (; mods[i]->mod_values[j] != NULL; j++);
323 mods[i]->mod_values = (char **)realloc(mods[i]->mod_values,
324 (j + 2) * sizeof (char *));
326 if (mods[i]->mod_values == NULL) {
327 DEBUG (0, ("make_a_mod: Memory allocation failure!\n"));
330 mods[i]->mod_values[j] = strdup(value);
331 mods[i]->mod_values[j + 1] = NULL;
336 /* New Interface is being implemented here */
338 /**********************************************************************
339 Initialize SAM_ACCOUNT from an LDAP query
340 (Based on init_sam_from_buffer in pdb_tdb.c)
 Reads the Samba attributes of `entry` with get_single_attribute() and
 stores them into `sampass` through the pdb_set_xxx() accessors; uid/gid
 come from the local passwd database (sys_getpwnam), not from LDAP.
 Returns True on success; the False paths (no passwd entry, password
 setters failing) are elided from this listing.
 NOTE(review): declarations, braces and return statements are elided
 from this listing; the comments describe only what is visible.
341 *********************************************************************/
342 static BOOL init_sam_from_ldap (SAM_ACCOUNT * sampass,
343 LDAP * ldap_struct, LDAPMessage * entry)
349 pass_can_change_time,
350 pass_must_change_time;
/* The string fields are function-static so the pointers handed to
 * pdb_set_xxx() outlive this call.  The buffers are therefore shared
 * across calls, and since get_single_attribute() leaves a buffer untouched
 * when an attribute is absent, a value from a previously converted entry
 * can survive into the next one during enumeration unless the elided
 * lines reset the buffers.  NOTE(review): confirm. */
351 static pstring username;
352 static pstring domain;
353 static pstring nt_username;
354 static pstring fullname;
355 static pstring homedir;
356 static pstring dir_drive;
357 static pstring logon_script;
358 static pstring profile_path;
359 static pstring acct_desc;
360 static pstring munged_dial;
361 static pstring workstations;
362 struct passwd *sys_user;
363 uint32 user_rid, group_rid;
/* The decoded LM/NT hashes also live in static storage and therefore
 * remain in memory after this function returns. */
364 static uint8 smblmpwd[16];
365 static uint8 smbntpwd[16];
366 uint16 acct_ctrl, logon_divs;
371 get_single_attribute(ldap_struct, entry, "uid", username);
372 DEBUG(2, ("Entry found for user: %s\n", username));
374 pstrcpy(nt_username, username);
376 get_single_attribute(ldap_struct, entry, "sambaDomain", domain);
/* Fallback to the configured workgroup (the guarding condition is elided). */
378 pstrcpy(domain, lp_workgroup());
/* Time stamps are stored as hexadecimal strings; strtol() is used without
 * error checking, so an absent or malformed value silently becomes 0. */
380 get_single_attribute(ldap_struct, entry, "pwdLastSet", temp);
381 pass_last_set_time = (time_t) strtol(temp, NULL, 16);
383 get_single_attribute(ldap_struct, entry, "logonTime", temp);
384 logon_time = (time_t) strtol(temp, NULL, 16);
386 get_single_attribute(ldap_struct, entry, "logoffTime", temp);
387 logoff_time = (time_t) strtol(temp, NULL, 16);
389 get_single_attribute(ldap_struct, entry, "kickoffTime", temp);
390 kickoff_time = (time_t) strtol(temp, NULL, 16);
392 get_single_attribute(ldap_struct, entry, "pwdCanChange", temp);
393 pass_can_change_time = (time_t) strtol(temp, NULL, 16);
395 get_single_attribute(ldap_struct, entry, "pwdMustChange", temp);
396 pass_must_change_time = (time_t) strtol(temp, NULL, 16);
398 /* recommend that 'gecos' and 'displayName' should refer to the same
399 * attribute OID. userFullName deprecated, only used by Samba
400 * primary rules of LDAP: don't make a new attribute when one is already defined
401 * that fits your needs; using gecos then displayName then cn rather than 'userFullName'
404 get_single_attribute(ldap_struct, entry, "gecos", fullname);
407 get_single_attribute(ldap_struct, entry, "displayName", fullname);
408 get_single_attribute(ldap_struct, entry, "cn", fullname);
/* Each of the four path-like attributes falls back to the smb.conf value
 * when the LDAP attribute is empty (the guards for the first two are
 * elided; those for scriptPath and profilePath are visible below). */
411 get_single_attribute(ldap_struct, entry, "homeDrive", dir_drive);
412 DEBUG(5,("homeDrive is set to %s\n",dir_drive));
414 pstrcpy(dir_drive, lp_logon_drive());
415 DEBUG(5,("homeDrive fell back to %s\n",dir_drive));
418 get_single_attribute(ldap_struct, entry, "smbHome", homedir);
419 DEBUG(5,("smbHome is set to %s\n",homedir));
421 pstrcpy(homedir, lp_logon_home());
422 DEBUG(5,("smbHome fell back to %s\n",homedir));
425 get_single_attribute(ldap_struct, entry, "scriptPath", logon_script);
426 DEBUG(5,("scriptPath is set to %s\n",logon_script));
427 if (!*logon_script) {
428 pstrcpy(logon_script, lp_logon_script());
429 DEBUG(5,("scriptPath fell back to %s\n",logon_script));
432 get_single_attribute(ldap_struct, entry, "profilePath", profile_path);
433 DEBUG(5,("profilePath is set to %s\n",profile_path));
434 if (!*profile_path) {
435 pstrcpy(profile_path, lp_logon_path());
436 DEBUG(5,("profilePath fell back to %s\n",profile_path));
439 get_single_attribute(ldap_struct, entry, "description", acct_desc);
440 get_single_attribute(ldap_struct, entry, "userWorkstations", workstations);
/* RIDs are decimal in the directory, unlike the hex time stamps above. */
441 get_single_attribute(ldap_struct, entry, "rid", temp);
442 user_rid = (uint32)strtol(temp, NULL, 10);
443 get_single_attribute(ldap_struct, entry, "primaryGroupID", temp);
444 group_rid = (uint32)strtol(temp, NULL, 10);
447 /* These values MAY be in LDAP, but they can also be retrieved through
448 * sys_getpw*() which is how we're doing it (if you use nss_ldap, then
449 * these values will be stored in LDAP as well, but if not, we want the
450 * local values to override the LDAP for this anyway
451 * homeDirectory attribute
453 sys_user = sys_getpwnam(username);
/* A user present in LDAP but unknown to the local passwd database is
 * rejected here (the body of this branch is elided, presumably a
 * DEBUG and "return False"). */
454 if (sys_user == NULL)
458 /* FIXME: hours stuff should be cleaner */
/* NOTE(review): sizeof(hours) is the size of the pointer, not of an
 * element, so this over-allocates; only hours_len bytes are then set. */
461 hours = malloc(sizeof(hours) * hours_len);
462 memset(hours, 0xff, hours_len);
/* The hex hash is wiped from `temp` as soon as it has been decoded;
 * the binary hashes remain in the static arrays above. */
464 get_single_attribute (ldap_struct, entry, "lmPassword", temp);
465 pdb_gethexpwd(temp, smblmpwd);
466 memset((char *)temp, '\0', sizeof(temp));
467 get_single_attribute (ldap_struct, entry, "ntPassword", temp);
468 pdb_gethexpwd(temp, smbntpwd);
469 memset((char *)temp, '\0', sizeof(temp));
470 get_single_attribute (ldap_struct, entry, "acctFlags", temp);
471 acct_ctrl = pdb_decode_acct_ctrl(temp);
/* The condition guarding this default is elided in the listing. */
474 acct_ctrl |= ACB_NORMAL;
477 pdb_set_acct_ctrl(sampass, acct_ctrl);
478 pdb_set_logon_time(sampass, logon_time);
479 pdb_set_logoff_time(sampass, logoff_time);
480 pdb_set_kickoff_time(sampass, kickoff_time);
481 pdb_set_pass_can_change_time(sampass, pass_can_change_time);
482 pdb_set_pass_must_change_time(sampass, pass_must_change_time);
483 pdb_set_pass_last_set_time(sampass, pass_last_set_time);
485 pdb_set_hours_len(sampass, hours_len);
486 pdb_set_logons_divs(sampass, logon_divs);
488 pdb_set_uid(sampass, sys_user->pw_uid);
489 pdb_set_gid(sampass, sys_user->pw_gid);
490 pdb_set_user_rid(sampass, user_rid);
491 pdb_set_group_rid(sampass, group_rid);
493 pdb_set_username(sampass, username);
495 pdb_set_domain(sampass, domain);
496 pdb_set_nt_username(sampass, nt_username);
498 pdb_set_fullname(sampass, fullname);
500 pdb_set_logon_script(sampass, logon_script);
501 pdb_set_profile_path(sampass, profile_path);
502 pdb_set_dir_drive(sampass, dir_drive);
503 pdb_set_homedir(sampass, homedir);
504 pdb_set_acct_desc(sampass, acct_desc);
505 pdb_set_workstations(sampass, workstations);
506 pdb_set_munged_dial(sampass, munged_dial);
/* Failure bodies of both password setters are elided (presumably
 * "return False"). */
507 if (!pdb_set_nt_passwd(sampass, smbntpwd))
509 if (!pdb_set_lanman_passwd(sampass, smblmpwd))
512 /* pdb_set_unknown_3(sampass, unknown3); */
513 /* pdb_set_unknown_5(sampass, unknown5); */
514 /* pdb_set_unknown_6(sampass, unknown6); */
/* NOTE(review): `hours` was malloc'ed above; whether pdb_set_hours()
 * takes ownership or copies (and who frees it) is not visible here. */
516 pdb_set_hours(sampass, hours);
521 /**********************************************************************
522 Build the LDAPMod list (*mods) from a SAM_ACCOUNT
523 (Based on init_buffer_from_sam in pdb_tdb.c)
 Inverse of init_sam_from_ldap(): every field of `sampass` is formatted
 into `temp` where needed and appended to *mods with make_a_mod() using
 `ldap_state` (LDAP_MOD_ADD or LDAP_MOD_REPLACE) as the operation.
 The caller owns *mods and releases it with ldap_mods_free(mods, 1).
 NOTE(review): declarations, braces and the return statement are elided
 from this listing.
524 *********************************************************************/
525 static BOOL init_ldap_from_sam (LDAPMod *** mods, int ldap_state, const SAM_ACCOUNT * sampass)
532 * took out adding "objectclass: sambaAccount"
533 * do this on a per-mod basis
537 make_a_mod(mods, ldap_state, "uid", pdb_get_username(sampass));
538 DEBUG(2, ("Setting entry for user: %s\n", pdb_get_username(sampass)));
540 /* not sure about using this for the nt_username */
541 make_a_mod(mods, ldap_state, "sambaDomain", pdb_get_domain(sampass));
/* "%i" with a uid_t and "%li" with a time_t are not guaranteed to match
 * the argument types on every platform; casts would make them exact. */
543 slprintf(temp, sizeof(temp) - 1, "%i", pdb_get_uid(sampass));
544 make_a_mod(mods, ldap_state, "uidNumber", temp);
/* NOTE(review): time stamps are written in decimal here but are parsed as
 * hexadecimal (base 16) in init_sam_from_ldap() -- confirm the intended
 * on-disk format. */
546 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass));
547 make_a_mod(mods, ldap_state, "pwdLastSet", temp);
549 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass));
550 make_a_mod(mods, ldap_state, "logonTime", temp);
552 slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass));
553 make_a_mod(mods, ldap_state, "logoffTime", temp);
555 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass));
556 make_a_mod(mods, ldap_state, "kickoffTime", temp);
558 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass));
559 make_a_mod(mods, ldap_state, "pwdCanChange", temp);
561 slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass));
562 make_a_mod(mods, ldap_state, "pwdMustChange", temp);
564 /* displayName, cn, and gecos should all be the same
565 * most easily accomplished by giving them the same OID
566 * gecos isn't set here b/c it should be handled by the
570 make_a_mod(mods, ldap_state, "displayName", pdb_get_fullname(sampass));
571 make_a_mod(mods, ldap_state, "cn", pdb_get_fullname(sampass));
573 make_a_mod(mods, ldap_state, "smbHome", pdb_get_homedir(sampass));
574 make_a_mod(mods, ldap_state, "homeDrive", pdb_get_dirdrive(sampass));
575 make_a_mod(mods, ldap_state, "scriptPath", pdb_get_logon_script(sampass));
576 make_a_mod(mods, ldap_state, "profilePath", pdb_get_profile_path(sampass));
577 make_a_mod(mods, ldap_state, "description", pdb_get_acct_desc(sampass));
578 make_a_mod(mods, ldap_state, "userWorkstations", pdb_get_workstations(sampass));
/* A zero user rid is derived from the uid.  Note the direct field access
 * (sampass->user_rid) where the rest of the function uses accessors. */
580 if ( !sampass->user_rid )
581 slprintf(temp, sizeof(temp) - 1, "%i", pdb_uid_to_user_rid(pdb_get_uid(sampass)));
583 slprintf(temp, sizeof(temp) - 1, "%i", sampass->user_rid);
584 make_a_mod(mods, ldap_state, "rid", temp);
/* NOTE(review): the two assignments below write to sampass->group_rid
 * through a pointer to const; that is a constraint violation in C unless
 * a cast is hidden in the elided lines -- confirm how this compiles. */
586 if ( !sampass->group_rid) {
589 if (get_group_map_from_gid(pdb_get_gid(sampass), &map, MAPPING_WITHOUT_PRIV)) {
590 sid_peek_rid(&map.sid, &sampass->group_rid);
593 sampass->group_rid = pdb_gid_to_group_rid(pdb_get_gid(sampass));
596 slprintf(temp, sizeof(temp) - 1, "%i", sampass->group_rid);
597 make_a_mod(mods, ldap_state, "primaryGroupID", temp);
599 /* FIXME: Hours stuff goes in LDAP */
/* The LM and NT hashes are stored as hex strings in lmPassword/ntPassword.
 * They are password-equivalents, so read access to these two attributes
 * must be restricted by the directory's ACLs to the admin DN used here. */
600 pdb_sethexpwd (temp, pdb_get_lanman_passwd(sampass), pdb_get_acct_ctrl(sampass));
601 make_a_mod (mods, ldap_state, "lmPassword", temp);
602 pdb_sethexpwd (temp, pdb_get_nt_passwd(sampass), pdb_get_acct_ctrl(sampass));
603 make_a_mod (mods, ldap_state, "ntPassword", temp);
604 make_a_mod (mods, ldap_state, "acctFlags", pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass),
605 NEW_PW_FORMAT_SPACE_PADDED_LEN));
610 /**********************************************************************
611 Connect to LDAP server for password enumeration
 Opens and binds a connection stored in global_ldap_ent, runs the
 configured filter with "%u" replaced by "*" and positions
 global_ldap_ent.entry on the first result.  On failure both
 global_ldap_ent.ldap_struct and .result are reset to NULL.
 NOTE(review): `update` is not used in the visible lines; declarations,
 braces and return statements are elided from this listing.
612 *********************************************************************/
613 BOOL pdb_setsampwent(BOOL update)
618 if (!ldap_open_connection(&global_ldap_ent.ldap_struct))
622 if (!ldap_connect_system(global_ldap_ent.ldap_struct))
624 ldap_unbind(global_ldap_ent.ldap_struct);
/* Wildcard in place of the user name: enumerate every matching entry. */
628 pstrcpy(filter, lp_ldap_filter());
629 all_string_sub(filter, "%u", "*", sizeof(pstring));
631 rc = ldap_search_s(global_ldap_ent.ldap_struct, lp_ldap_suffix(),
632 LDAP_SCOPE_SUBTREE, filter, NULL, 0,
633 &global_ldap_ent.result);
635 if (rc != LDAP_SUCCESS)
637 DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc)));
638 DEBUG(3, ("Query was: %s, %s\n", lp_ldap_suffix(), filter));
/* NOTE(review): relies on ldap_search_s() leaving .result NULL or valid
 * when it fails; ldap_msgfree() on an indeterminate pointer would be UB. */
639 ldap_msgfree(global_ldap_ent.result);
640 ldap_unbind(global_ldap_ent.ldap_struct);
641 global_ldap_ent.ldap_struct = NULL;
642 global_ldap_ent.result = NULL;
646 DEBUG(2, ("pdb_setsampwent: %d entries in the base!\n",
647 ldap_count_entries(global_ldap_ent.ldap_struct,
648 global_ldap_ent.result)));
650 global_ldap_ent.entry = ldap_first_entry(global_ldap_ent.ldap_struct,
651 global_ldap_ent.result);
656 /**********************************************************************
657 End enumeration of the LDAP password list
 Releases the search result and the connection held in global_ldap_ent
 and resets both pointers, so a second call is a no-op.  Only acts when
 both the handle and the result are set (pdb_setsampwent() clears both
 together on its failure path).
 NOTE(review): braces are elided from this listing.
658 *********************************************************************/
659 void pdb_endsampwent(void)
661 if (global_ldap_ent.ldap_struct && global_ldap_ent.result)
663 ldap_msgfree(global_ldap_ent.result);
664 ldap_unbind(global_ldap_ent.ldap_struct);
665 global_ldap_ent.ldap_struct = NULL;
666 global_ldap_ent.result = NULL;
670 /**********************************************************************
671 Get the next entry in the LDAP password database
 Advances global_ldap_ent.entry and converts it into `user` with
 init_sam_from_ldap(); returns False when no enumeration is active or
 the result set is exhausted (return statements elided).
 NOTE(review): the cursor is advanced with ldap_next_entry() before any
 entry is converted, so the entry that pdb_setsampwent() positioned on
 with ldap_first_entry() is never handed to the caller -- confirm whether
 the elided lines compensate for this.
 NOTE(review): braces and return statements are elided from this listing.
672 *********************************************************************/
673 BOOL pdb_getsampwent(SAM_ACCOUNT * user)
675 if (!global_ldap_ent.entry)
678 global_ldap_ent.entry = ldap_next_entry(global_ldap_ent.ldap_struct,
679 global_ldap_ent.entry);
681 if (global_ldap_ent.entry != NULL)
683 return init_sam_from_ldap(user, global_ldap_ent.ldap_struct,
684 global_ldap_ent.entry);
689 /**********************************************************************
690 Get SAM_ACCOUNT entry from LDAP by username
 Opens a private connection, searches by `sname`, converts the first
 matching entry into `user` and tears the connection down again.
 NOTE(review): `sname` reaches the LDAP filter unescaped (see
 ldap_search_one_user_by_name).  Declarations, braces and return
 statements are elided from this listing.
691 *********************************************************************/
692 BOOL pdb_getsampwnam(SAM_ACCOUNT * user, const char *sname)
698 if (!ldap_open_connection(&ldap_struct))
700 if (!ldap_connect_system(ldap_struct))
702 ldap_unbind(ldap_struct);
705 if (ldap_search_one_user_by_name(ldap_struct, sname, &result) !=
708 ldap_unbind(ldap_struct);
/* NOTE(review): on this not-found path no ldap_msgfree(result) is visible
 * before the unbind, unlike the paths below -- a likely result leak. */
711 if (ldap_count_entries(ldap_struct, result) < 1)
714 ("We don't find this user [%s] count=%d\n", sname,
715 ldap_count_entries(ldap_struct, result)));
716 ldap_unbind(ldap_struct);
719 entry = ldap_first_entry(ldap_struct, result);
/* NOTE(review): the BOOL result of init_sam_from_ldap() is discarded, so
 * a partially initialised `user` is reported as success. */
722 init_sam_from_ldap(user, ldap_struct, entry);
723 ldap_msgfree(result);
724 ldap_unbind(ldap_struct);
729 ldap_msgfree(result);
730 ldap_unbind(ldap_struct);
735 /**********************************************************************
736 Get SAM_ACCOUNT entry from LDAP by rid
 Same shape as pdb_getsampwnam(), keyed by `rid` through
 ldap_search_one_user_by_rid() (which may fall back to a uid search).
 NOTE(review): declarations, braces and return statements are elided
 from this listing.
737 *********************************************************************/
738 BOOL pdb_getsampwrid(SAM_ACCOUNT * user, uint32 rid)
744 if (!ldap_open_connection(&ldap_struct))
747 if (!ldap_connect_system(ldap_struct))
749 ldap_unbind(ldap_struct);
752 if (ldap_search_one_user_by_rid(ldap_struct, rid, &result) !=
755 ldap_unbind(ldap_struct);
/* NOTE(review): no ldap_msgfree(result) is visible on this path before
 * the unbind; "%i" is also used for the uint32 rid in the message. */
759 if (ldap_count_entries(ldap_struct, result) < 1)
762 ("We don't find this rid [%i] count=%d\n", rid,
763 ldap_count_entries(ldap_struct, result)));
764 ldap_unbind(ldap_struct);
768 entry = ldap_first_entry(ldap_struct, result);
/* NOTE(review): the BOOL result of init_sam_from_ldap() is discarded. */
771 init_sam_from_ldap(user, ldap_struct, entry);
772 ldap_msgfree(result);
773 ldap_unbind(ldap_struct);
778 ldap_msgfree(result);
779 ldap_unbind(ldap_struct);
784 /**********************************************************************
785 Delete entry from LDAP for username
 Looks the user up by `sname`, takes the DN of the first match and
 deletes that entry with ldap_delete_s().
 NOTE(review): declarations, braces and return statements are elided
 from this listing.
786 *********************************************************************/
787 BOOL pdb_delete_sam_account(const char *sname)
795 if (!ldap_open_connection (&ldap_struct))
798 DEBUG (3, ("Deleting user %s from LDAP.\n", sname));
800 if (!ldap_connect_system (ldap_struct)) {
801 ldap_unbind (ldap_struct);
802 DEBUG(0, ("Failed to delete user %s from LDAP.\n", sname));
/* NOTE(review): `rc` from the search is never examined; when the search
 * fails, `result` is used by ldap_count_entries() regardless. */
806 rc = ldap_search_one_user_by_name (ldap_struct, sname, &result);
807 if (ldap_count_entries (ldap_struct, result) == 0) {
808 DEBUG (0, ("User doesn't exit!\n"));
809 ldap_msgfree (result);
810 ldap_unbind (ldap_struct);
/* Only the first match is deleted even if the filter matched several. */
814 entry = ldap_first_entry (ldap_struct, result);
/* NOTE(review): the DN returned by ldap_get_dn() is allocated by the
 * library and should be released with ldap_memfree(); no such call is
 * visible here, nor an ldap_msgfree(result) after this point. */
815 dn = ldap_get_dn (ldap_struct, entry);
817 rc = ldap_delete_s (ldap_struct, dn);
820 if (rc != LDAP_SUCCESS) {
/* NOTE(review): the LDAP_OPT_ERROR_STRING buffer is library-allocated in
 * OpenLDAP and is not freed in the visible lines. */
822 ldap_get_option (ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
823 DEBUG (0,("failed to delete user with uid = %s with: %s\n\t%s\n",
824 sname, ldap_err2string (rc), ld_error));
826 ldap_unbind (ldap_struct);
830 DEBUG (2,("successfully deleted uid = %s from the LDAP database\n", sname));
831 ldap_unbind (ldap_struct);
835 /**********************************************************************
 Replace the Samba attributes of an existing LDAP entry with the values
 in `newpwd` (LDAP_MOD_REPLACE through init_ldap_from_sam()).  The entry
 is located by user name; the first match is modified.
 NOTE(review): `override` is not used in the visible lines.  Declarations,
 braces and return statements are elided from this listing.
837 *********************************************************************/
838 BOOL pdb_update_sam_account(const SAM_ACCOUNT * newpwd, BOOL override)
847 if (!ldap_open_connection(&ldap_struct)) /* open a connection to the server */
850 if (!ldap_connect_system(ldap_struct)) /* connect as system account */
852 ldap_unbind(ldap_struct);
/* NOTE(review): `rc` of the search is not checked before `result` is
 * passed to ldap_count_entries(). */
856 rc = ldap_search_one_user_by_name(ldap_struct,
857 pdb_get_username(newpwd), &result);
859 if (ldap_count_entries(ldap_struct, result) == 0)
861 DEBUG(0, ("No user to modify!\n"));
862 ldap_msgfree(result);
863 ldap_unbind(ldap_struct);
867 init_ldap_from_sam(&mods, LDAP_MOD_REPLACE, newpwd);
869 entry = ldap_first_entry(ldap_struct, result);
/* NOTE(review): `dn` (ldap_get_dn) and `result` are not released in the
 * visible lines after this point. */
870 dn = ldap_get_dn(ldap_struct, entry);
872 rc = ldap_modify_s(ldap_struct, dn, mods);
874 if (rc != LDAP_SUCCESS)
/* NOTE(review): on this error path only the unbind is visible; the mods
 * list is freed on the success path (line 891) but not here. */
877 ldap_get_option(ldap_struct, LDAP_OPT_ERROR_STRING,
880 ("failed to modify user with uid = %s with: %s\n\t%s\n",
881 pdb_get_username(newpwd), ldap_err2string(rc),
884 ldap_unbind(ldap_struct);
889 ("successfully modified uid = %s in the LDAP database\n",
890 pdb_get_username(newpwd)));
891 ldap_mods_free(mods, 1);
892 ldap_unbind(ldap_struct);
896 /**********************************************************************
897 Add SAM_ACCOUNT to LDAP
 Creates "uid=<name>,<suffix>" for `newpwd`, or, when a plain posix
 entry with that uid already exists, adds the Samba attributes to that
 entry with LDAP_MOD_REPLACE instead.  Refuses when an entry already
 matches the Samba filter, or when more than one posix entry has the uid.
 NOTE(review): declarations, braces and return statements are elided
 from this listing.
898 *********************************************************************/
899 BOOL pdb_add_sam_account(const SAM_ACCOUNT * newpwd)
907 int ldap_op = LDAP_MOD_ADD;
909 if (!ldap_open_connection(&ldap_struct)) /* open a connection to the server */
914 if (!ldap_connect_system(ldap_struct)) /* connect as system account */
916 ldap_unbind(ldap_struct);
/* NOTE(review): the user name is embedded in the DN without RFC 4514
 * escaping (',', '+', '"', '\', '<', '>', ';', '#', '=' and leading/
 * trailing spaces); a name containing those characters yields a DN in a
 * different place of the tree.  The else branch of this test is elided. */
920 if (pdb_get_username(newpwd) != NULL) {
921 slprintf (dn, sizeof (dn) - 1, "uid=%s,%s",
922 pdb_get_username(newpwd), lp_ldap_suffix ());
/* First check: an entry already matching the Samba filter is an error. */
930 rc = ldap_search_one_user_by_name (ldap_struct, pdb_get_username(newpwd), &result);
932 if (ldap_count_entries(ldap_struct, result) != 0)
934 DEBUG(0,("User already in the base, with samba properties\n"));
935 ldap_msgfree(result);
936 ldap_unbind(ldap_struct);
939 ldap_msgfree(result);
/* Second check: a bare posix entry with this uid.  NOTE(review): the
 * name is also substituted into this filter unescaped (RFC 4515). */
941 slprintf (filter, sizeof (filter) - 1, "uid=%s", pdb_get_username(newpwd));
942 rc = ldap_search_one_user(ldap_struct, filter, &result);
943 if (ldap_count_entries(ldap_struct, result) == 1)
947 DEBUG(3,("User exists without samba properties: adding them\n"));
948 ldap_op = LDAP_MOD_REPLACE;
949 entry = ldap_first_entry (ldap_struct, result);
/* NOTE(review): `tmp` comes from ldap_get_dn() and should be released
 * with ldap_memfree() once copied; no such call is visible. */
950 tmp = ldap_get_dn (ldap_struct, entry);
951 slprintf (dn, sizeof (dn) - 1, "%s", tmp);
/* NOTE(review): the cleanup/return of this bail-out branch is elided;
 * if it only logs, the connection and `result` would leak. */
956 DEBUG (3, ("More than one user with that uid exists: bailing out!\n"));
960 ldap_msgfree(result);
962 init_ldap_from_sam(&mods, ldap_op, newpwd);
963 make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "sambaAccount");
965 if (ldap_op == LDAP_MOD_REPLACE) {
966 rc = ldap_modify_s(ldap_struct, dn, mods);
969 rc = ldap_add_s(ldap_struct, dn, mods);
972 if (rc != LDAP_SUCCESS)
976 ldap_get_option (ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
977 DEBUG(0,("failed to modify user with uid = %s with: %s\n\t%s\n",
978 pdb_get_username(newpwd), ldap_err2string (rc), ld_error));
980 ldap_mods_free(mods, 1);
981 ldap_unbind(ldap_struct);
985 DEBUG(2,("added: uid = %s in the LDAP database\n", pdb_get_username(newpwd)));
986 ldap_mods_free(mods, 1);
987 ldap_unbind(ldap_struct);
/* Empty, exported symbol so the translation unit is never empty when
 * the LDAP backend is compiled out (see the trailing comment). */
992 void dummy_function(void);
994 dummy_function (void)
996 } /* stop some compilers complaining */